These may be identity theft attacks. Identity thieves can rack
up bills and commit crimes -- in your name. The resulting damages
of identity fraud can be financially devastating and your privacy
could be seriously compromised. The best defense from identity
theft fraud is to recognize phishing attacks (online and off), do
not respond, and report them.

Recognize And Prevent Phishing In Email

Greeting

The greeting line of a phishing email is typically generic, such
as "Dear (Company) Member". Legitimate emails are usually
personalized, such as "Dear Isaac Newton". If you have done
business with the real company, they know your name. But beware, a
phisher may have found your real name by some other means.

The Sender's Email Address

The sender's email address is not a good indicator of the origin
of an email. Phishers typically (and easily) forge this field.

Tone

Phishers ask you to update, validate, or confirm your
information, often with a false sense of urgency and dire
consequences if you ignore it.

"We are updating our accounts and need information fast."

"An unauthorized transaction has recently occurred on your
account."

"You may lose your account if you don't update your
information."

"Please click here to verify your information."

Legitimate companies will usually ask you to call them at a
verifiable phone number or ask you to login to their website
independently of the email.

You see the company.com part. This URL really goes to
www.scammer.com, which you can't see because the URL string is so
long it goes out of the display. Check
the URLs without clicking.

letter-number substitutions, such as letter O, number 0 or
letter l, number 1.

company name compounded with some other word, such as
http://companytrustme.com. Just because it has the company name in
it does not mean it is from that company.

Legitimate companies use secure domain names (such as
https://www.company.com) whenever sensitive information must be
transfered. Never log into a company through a link in an email
unless you are expecting a verification notice and you are sure it
is from that company. Before submitting any information on a
website, always verify the
security certificate first.

Clicking on a fraudulent link can net the Phisher his catch, and you and your computer are the
phish.

Emails that Look Like Websites

Phishing emails may look like websites and try to get you to
enter your personal information. Legitimate companies will never
ask you to enter personal information in an email.

Style of Writing

Phishers often use poor spelling, bad grammar, missing words and
logic gaps, in an attempt to get around spam filters. Legitimate
businesses use proper business communication, and while they may
not be perfect, the writing is generally far superior to that found
in phishing emails.

Connection Security

When you enter information in a web session, make sure
"https://" (a secure connection) begins the URL. Be sure to
verify the security
certificate. This is not foolproof. Some phishers have forged
security icons.

Pop-up Boxes

Legitimate companies do not (or should not) use popups in email,
as popups may not be secure

Attachments

Attachments in phishing emails are very
dangerous; they may be virus- or spyware-laden. Do not open
these and delete them immediately after reporting the scam.

Look for the lock icon on the lower frame of your browser; on a
secure site it should appear locked. If you click on this, you can
verify the security certificate. In general, browsers recognize
only trustworthy Certificate Authorities, but be aware that
untrustworthy Certificate Authorities can be added manually by
anyone who has access to your computer.

Forward the entire email, with full headers turned on (for
tracking), to the legitimate organization being impersonated in the
message. Most organizations have information on their websites
about where to report problems. Access the company through a web
address that you know to be genuine, not from a link in the email.
Do not click on the email thinking you are going to get to the
legitimate site.

You may also report phishing scams to local
law enforcement authorities or as directed in the following
websites.